| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | |||
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 |
- MySQL
- ida pro
- malware
- error fix
- mock.patch
- svn update
- idb2pat
- pytest
- TensorFlow
- data distribution
- NumPy Unicode Error
- Analysis
- debugging
- 포인터 매핑
- idapro
- hex-rays
- idapython
- ida
- x64
- Ransomware
- h5py.File
- Injection
- error
- Rat
- why error
- commandline
- open office xml
- javascript
- Python
- ecma
- Today
- Total
13 Security Lab
How to use WIndows WMI(Windows Management Instrumentation) using cpp 본문
How to use WIndows WMI(Windows Management Instrumentation) using cpp
Maj0r Tom 2017. 4. 21. 17:42
WMI 는 윈도우즈 전반적인 관리기능을 제공하는 인프라라고 설명하고 있다.
Windows Management InstrumentationWindows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers but WMI also supplies management data to other parts of the operating system and products, for example System Center Operations Manager, formerly Microsoft Operations Manager (MOM), or Windows Remote Management (WinRM). |
유저 입장에서는 WMI는 윈도우즈의 기능들을 쓰기위한 인터페이스에 가깝게 생각 되며, 좀 더 와 닿는 표현으로는 "WMI의 핵심은 다양한 시스템 자원을 단일한 인터페이스와 일관된 데이터 스키마를 통해 관리하고자 하는 것" 인 것 같다.
이를 쓰기 위해서는 쉘커맨드(스크립팅)를 이용하는 것과 COM객체를 사용하는 방법이 있다
COM객체를 이용한 코딩을 하는 경우 컴파일러 설정에 COM객체를 참조추가 해주어야 한다.
작성 코드 예제
헤더 추가
|
1
2
|
#include <wbemidl.h> // For WMI
#pragma comment(lib, "wbemuuid.lib") // Link to WMI library. (Can do in library includes instead)
|
|
함수 본문
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
// =======================================================================================================
// *Parameters (Only Unicode for WMI interface)
// [1][IN] WMI_Class
// [2][IN] WMI_Query
// [3][IN] WMI_Property
// [4][OUT] lt
// =======================================================================================================
BOOL WMI_Query(WCHAR WMI_Class[], WCHAR WMI_Query[], WCHAR WMI_Property[], std::list<string> <)
{
HRESULT hr = ::CoInitializeSecurity(NULL, -1, NULL, NULL,
RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE,
NULL, EOAC_NONE, NULL);
CComPtr<IWbemLocator> pWbemLocator; //종료시점에 자동 release
hr = pWbemLocator.CoCreateInstance(CLSID_WbemLocator);
CComPtr<IWbemServices> pWbemServices;
// Query Target
hr = pWbemLocator->ConnectServer(CComBSTR(WMI_Class), NULL, NULL, 0, NULL, 0, NULL, &pWbemServices);
if (hr != S_OK) return FALSE;
CComPtr<IEnumWbemClassObject> pEnum;
//CComBSTR cbsQuery = L"Select * from FirewallProduct"; // Query 1
CComBSTR cbsQuery = WMI_Query; // Query 1
hr = pWbemServices->ExecQuery(CComBSTR("WQL"), cbsQuery, WBEM_FLAG_FORWARD_ONLY, NULL, &pEnum);
if (hr != S_OK || pEnum == NULL) return FALSE;
ULONG uObjectCount = 0;
CComPtr<IWbemClassObject> pWmiObject;
std::string pathToSignedProductExe = "";
while (pEnum)
{
hr = pEnum->Next(WBEM_INFINITE, 1, &pWmiObject, &uObjectCount);
if (hr != S_OK) break;
CComVariant cvtpathToSignedProductExe;
//Property 정보를 얻어옴
hr = pWmiObject->Get((const unsigned short *)WMI_Property, 0, &cvtpathToSignedProductExe, 0, 0);
if (hr != S_OK) break;
//To use "WideChar to MultiChar"
USES_CONVERSION; // SET-UP to use bellow convert macro function
pathToSignedProductExe = W2A(cvtpathToSignedProductExe.bstrVal);
string dirPath;
const size_t last_slash_idx = pathToSignedProductExe.rfind('\\');
if (std::string::npos != last_slash_idx)
{
dirPath = pathToSignedProductExe.substr(0, last_slash_idx);
}
lt.push_back(dirPath);
pWmiObject = NULL;
}
return TRUE;
}
|
|
본문 호출
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
void main ()
{
WCHAR SecurityCenter[] = L"root\\SecurityCenter"; // Class 1
WCHAR Firewall_Query[] = L"Select * from FirewallProduct";
WCHAR Property_ProductPath[] = L"pathToSignedProductExe";
std::list<string> lt;
HRESULT hr = ::CoInitializeEx(NULL, COINIT_MULTITHREADED);
WMI_Query(SecurityCenter2, AntiVirus_Query, Property_ProductPath, lt);
::CoUninitialize();
//Print list
list<string>::iterator list_iter;
for (list_iter = lt.begin(); list_iter != lt.end(); ++list_iter) cout<< *list_iter << endl;
}
|
|
WMI란?
http://csd144000.tistory.com/8
윈도우 방화벽 관련
http://crystalcube.co.kr/entry/%EC%9C%88%EB%8F%84%EC%9A%B0-%EB%B0%A9%ED%99%94%EB%B2%BD-%ED%95%B4%EC%A0%9C%ED%95%98%EB%8A%94-%EB%B0%A9%EB%B2%95
http://crystalcube.co.kr/48
